What's missing from cloud security

As cloud catches on, administrators need incident response plans and a trained workforce, RSA speaker says

SAN FRANCISCO — Cloud computing is moving from early adoption into a more mature, operational phase, but IT administrators still face challenges in ensuring security and creating a professional workforce to administer it, said Jim Reavis, executive director of the Cloud Security Alliance.

“We’re not spending as much time on awareness,” Reavis said. “We’re spending more time to help organizations operationalize their cloud strategy.”

CSA, an industry organization promoting best practices for security assurance in cloud computing, held a half-day summit Monday in conjunction with this week’s RSA Security Conference. The annual RSA conference for the first time this year includes a separate track devoted to cloud security, which Reavis said is an indication that the technology is maturing.



“It’s a reflection of the fact that people are doing real things in cloud computing,” he said.

Cloud computing moves resources into a shared environment, available on demand rather than depending on dedicated in-house systems. The potential for flexibility, cost savings and increased efficiency has made it a popular concept, and the Obama administration has identified it as a major part of the future of government computing.

But as with any new technology, it comes with the risk of new security threats that CSA is trying to stay ahead of.

“We have learned from previous technical innovations that we cannot ignore security,” Reavis said. “We are being more proactive. We are dealing with such accelerated innovation in the cloud that there will continue to be a lot of risk if we don’t maintain eternal vigilance.”

One of the alliance’s current efforts is an incident response research program with cloud providers and security experts to understand the processes needed to respond to security incidents.

“We know that how we respond is impacted by the cloud,” Reavis said. An attack on one organization hosted in the cloud could affect multiple service providers, who should be able to share information, he added. What to share and how to do it effectively has not been worked out yet. “That’s the problem we are trying to get ahead of.”

The alliance also is working to professionalize the cloud workforce and has established a user certification program for IT professionals working in the cloud. It is a Web-based testing program based on the Security Guidance for Critical Areas of Focus in Cloud Computing, a catalog of best practices first released by CSA in 2009. Most of the material covered in the certification is unique to cloud computing and not covered under other security certification programs, Reavis said.

Although the program was introduced in September, CSA has done little outreach to promote it so far, Reavis said. Still, “we’re seeing pretty aggressive adoption,” although the number of people certified has not been released. He said the pass rate is about 55 percent, which is “right in line with what you want for meaningful certification.”

The current program is designed to deliver a baseline awareness of cloud security issues, and the alliance hopes to expand it to a more technical certification next year as training opportunities grow. Reavis said CSA plans to add online and in-person training programs this year.

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.

Reader Comments

Fri, Jul 8, 2011 Jim Kelleher Fort Knox, KY

One of the lessons I've learned over the years is "we never have the time to do it right the first time but we always have time to do it over!" Since cloud computing is the way of the future, now is the time to develop the "Built in Protection" that good security implementation will provide. It may be a challenge but it will be worth the effort.
